nCipher is publishing three advisories numbered 12, 13 and 14
simultaneously. You are advised to review all three before taking
any remedial action.

SUMMARY
=======

Application programmers using the nCore API to calculate and verify
CBC MACs may have accidentally implemented a MAC protocol which
fails to detect certain modifications to messages it is supposed to
protect.

ISSUE DESCRIPTION
=================

1. Cause
--------

All uses of CBC-MAC should use a fixed IV, by convention zero. The
IV should not be transmitted as part of the message. The nCipher
nCore API allows users to pass in a nonzero IV which may cause
developers to implement vulnerable systems inadvertently.

2. Impact
---------

An attacker could modify a message that has been protected with a
vulnerable CBC-MAC protocol implementation without this being
detected.

3. Who Is *Not* Affected
------------------------

The following are not affected by this advisory or by advisories 12 or 14:

- Any nCipher module supplied with or upgraded to V10 firmware 2.22.6.

- Any nFast or nForce Ultra module - as these either have no nCipher
key management or have modules with fixed firmware.

- miniHSM PCI or any other product utilizing the miniHSM as these
are supplied with firmware revision 2.22.6 or later.

- Any nToken.

- Any acceleration only module, that is all nFast modules except
nFast-KM or nFast-CA modules which are key management modules.

The following are *not* affected by this advisory or by advisory 12 but
may be affected by advisory 14:

- Any nCipher module supplied with or upgraded to V9 firmware 2.12.x.

During MAC generation, the application programmer may specify an
IV, or allow the module to choose one. The resulting M_CipherText
structure contains both the IV and the final MAC. During verification,
the application programmer specifies the IV and MAC together with
the message plaintext.

This can lead an application designer to implement the following
arrangement: the sender lets the module choose an IV, computes the
MAC, and transmits the IV alongside the message and the MAC; the
receiver then verifies the message using whatever IV it received.

This arrangement is insecure. The first step of a CBC-MAC computation
is E_K(IV XOR P1), where P1 is the first plaintext block. If the IV is
transmitted as part of the message, rather than being fixed, an
attacker who replaces P1 with a chosen block P1' and at the same time
replaces the transmitted IV with IV XOR P1 XOR P1' leaves the input to
that first encryption unchanged, so every later chaining value and the
final MAC are unchanged too. Since the value of the IV is not known in
advance by the receiver, this modification will not be detected.

To determine whether your application is vulnerable, check all the
places where a CBC-MAC verification is performed. If all of these
verifications are carried out with a fixed IV, which is not obtained
from the transmitted message, then your application is not vulnerable.

If any verification is carried out with an IV obtained from an
incoming message then your application is vulnerable. Please contact
nCipher support who will assist with the remedial action.

The replacement fixed-IV CBC-MAC mechanisms perform the sign and
verify functions with a fixed IV of all zeroes. This IV is implicit
and is not transmitted in the M_CipherText structure. These mechanisms
do not suffer from the vulnerability described above; application
developers are recommended to use them instead.

The module will choose these mechanisms as the default when Mech_Any
is specified in the Sign command. Furthermore, the module will
refuse to verify ciphertexts which use a vulnerable mechanism when
Mech_Any is specified in the Verify command. (The old behaviour
is retained when a vulnerable mechanism is specified explicitly;
in these cases, the application is assumed to have checked the IV).

The CBC-MAC algorithms are not recommended by nCipher for new
designs due to their inherent security weaknesses. New designs
should use a suitable HMAC mechanism. See, for example, [BKR-CBCMAC],
particularly sections 4 and 5; and [MVV-HAC], section 9.5.1 and
particularly remark 9.62.
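The following is an added example and is not nCipher code or part of the
nCore API. It shows the two protocol shapes discussed above side by side: a
CBC-MAC whose IV travels with the message, the first-block forgery that the
transmitted IV permits (the attacker never needs the key), and the fixed-IV
and HMAC alternatives that reject the same forgery. The block cipher is
AES-128 if the 'cryptography' package happens to be installed and otherwise a
keyed-hash stand-in, which is an assumption made only to keep the example
self-contained; the forgery is identical in either case because it never
touches the cipher. The sample message and key are constructed for the demo.

```python
"""Added example (not nCipher's code): CBC-MAC with a transmitted IV, the
first-block forgery it permits, and the fixed-IV / HMAC designs that reject it."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

BLOCK = 16  # 128-bit blocks, as for AES

try:
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """E_K(block): one raw AES-128 block encryption."""
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Stand-in for E_K (assumption: a keyed PRF truncated to one block,
        enough to show the forgery; not a real block cipher)."""
        return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes, iv: bytes) -> bytes:
    """Raw CBC-MAC: chain E_K over the blocks starting from iv; the tag is the
    last chaining value. Messages are kept block-aligned to focus on the IV."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    state = iv
    for i in range(0, len(msg), BLOCK):
        state = block_encrypt(key, _xor(state, msg[i:i + BLOCK]))
    return state


# --- Vulnerable arrangement: IV chosen per message and sent with it ---------

def sign_transmitted_iv(key: bytes, msg: bytes, iv: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Mimics letting the module pick an IV and handing back (IV, MAC)."""
    iv = os.urandom(BLOCK) if iv is None else iv
    return iv, cbc_mac(key, msg, iv)


def verify_transmitted_iv(key: bytes, msg: bytes, iv: bytes, tag: bytes) -> bool:
    """The verifier trusts the IV that arrived with the message: the flaw."""
    return hmac.compare_digest(cbc_mac(key, msg, iv), tag)


def forge_first_block(msg: bytes, iv: bytes, new_first: bytes) -> Tuple[bytes, bytes]:
    """Attacker, no key needed: replace P1 with P1' and set IV' = IV ^ P1 ^ P1'.
    Then IV' ^ P1' == IV ^ P1, so the chain and the final MAC are unchanged."""
    new_iv = _xor(_xor(iv, msg[:BLOCK]), new_first)
    return new_first + msg[BLOCK:], new_iv


# --- Fixed-IV arrangement: IV is implicitly zero and never transmitted -----

ZERO_IV = bytes(BLOCK)

def sign_fixed_iv(key: bytes, msg: bytes) -> bytes:
    return cbc_mac(key, msg, ZERO_IV)


def verify_fixed_iv(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(cbc_mac(key, msg, ZERO_IV), tag)


# --- Recommended for new designs: HMAC ---------------------------------------

def hmac_tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_hmac(key: bytes, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, msg), tag)


def demo(key: bytes = bytes(range(16))) -> dict:
    """Constructed sample: a two-block instruction whose first block is rewritten."""
    msg = b"AMOUNT=00000100;" + b"PAYEE=ALICE....."
    iv, tag = sign_transmitted_iv(key, msg, iv=bytes.fromhex("00112233445566778899aabbccddeeff"))
    forged_msg, forged_iv = forge_first_block(msg, iv, b"AMOUNT=99999999;")
    return {
        "original_accepted": verify_transmitted_iv(key, msg, iv, tag),
        "forgery_accepted_transmitted_iv": verify_transmitted_iv(key, forged_msg, forged_iv, tag),
        "forgery_accepted_fixed_iv": verify_fixed_iv(key, forged_msg, sign_fixed_iv(key, msg)),
        "forgery_accepted_hmac": verify_hmac(key, forged_msg, hmac_tag(key, msg)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Running the demo shows the forged amount accepted by the transmitted-IV
verifier and rejected by both the fixed-IV verifier and HMAC. The audit
question from the advisory maps directly onto the code: any verifier whose
IV argument comes from the incoming message looks like verify_transmitted_iv
and is vulnerable; one whose IV is a constant looks like verify_fixed_iv.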

Where CBC-MAC is already deployed, careful consideration should be given
to the protocols in use to determine the risks of successful forgery.

nCipher intends to remove the vulnerable mechanisms altogether in
a future release. If you have any information as to any compatibility
problems this might cause, please contact nCipher support.

If you would like to receive future security advisories from nCipher,
please subscribe to the low volume nCipher security-announce mailing
list. To do this, send a mail with the single word 'subscribe' in
the message body to: security-announce-request (at) ncipher (dot) com.

(c) nCipher Corporation Ltd. 2005

All trademarks acknowledged. nCipher and payShield are trademarks
of nCipher Corporation Limited.